Security Basics mailing list archives
Re: what should I do when....
From: "Dan Anderson" <dan-anderson () cox net>
Date: Tue, 15 Jul 2008 16:02:01 -0500
On Tue, Jul 15, 2008 at 1:03 PM, Adriel Desautels <adriel () netragard com> wrote:
Ansgar, I almost feel like you are trying to create an argument just for the sake of creating an argument.
I've been watching this thread with some amusement for almost 2 weeks... It seems to me that you _both_ are to the point where you continue with this discussion just to hear yourselves talk.

1. Adriel - I know what you are saying - I hear "My network is secure - we have a firewall" all too often too - it's wrong to think that, we all know that a firewall is not a magic security cure-all - mitigating all attack vectors. Properly configured and maintained firewalls can certainly make networks more secure, but holistic security requires a risk-based approach. IDS/IPS is not a magic cure-all either; security is a big arena and can only be measured in terms of being more or less secure - there are no cure-alls, there is only "best practices" and due-care/due-diligence efforts (of which having a firewall is part).

2. The stated issue here was something about seeing scanning activity in firewall logs (which is normal - the Internet is a threat-rich environment). A properly configured and maintained firewall is an appropriate device to mitigate this threat to some degree. IDS/IPS could give you more information/protection from the portion of the scan that is not being blocked by the firewall.

3. A firewall is indeed a "security device" - there are lots of threats, and lots of "security devices" to counter those threats - a brick is a "security device" when properly assembled (along with some friends) into 6 walls.

4. (Warning: Another bad analogy approaches) Continuing to rail against firewalls is like saying diodes are useless because they are not microprocessors.

If the OP still cares - Adriel's advice from the 8th was good (paraphrased with my 2 cents thrown in):

1. If it really bothers you and you are really sure that you don't care if legitimate traffic from the other network gets blocked then you can block them in your firewall - In my experience there is very little point to doing this though (you'll have to do another IP tomorrow, and another the day after, etc. - good for job security, but really not much point otherwise, and it makes a management nightmare (tracking and managing 10,000 blocked IPs, dealing with complaints from Canadians who can no longer go to your site, etc.)).

2. You can send the logs to the abuse@ address for the company and network provider - again, not much payoff, if you're lucky they might look into it... It will probably turn out to be someone with a virus or part of a botnet - you can feel good that you have helped shut down 0.0...01% of this sort of activity. Again, basically pointless.

3. If scanning activity does bother you that much you probably should re-evaluate your security infrastructure. When I worry about something it generally turns out to be well-founded.

Dan